
CVE-2025-59144: CWE-506: Embedded Malicious Code in debug-js debug

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-59144, cwe-506
Published: Mon Sep 15 2025 (09/15/2025, 19:10:04 UTC)
Source: CVE Database V5
Vendor/Project: debug-js
Product: debug

Description

debug is a JavaScript debugging utility. On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should upgrade to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issue has been resolved in 4.4.3.

AI-Powered Analysis

Last updated: 09/15/2025, 19:20:32 UTC

Technical Analysis

CVE-2025-59144 is a high-severity supply chain vulnerability affecting the 'debug' JavaScript utility, widely used for debugging purposes in various JavaScript environments. On September 8, 2025, attackers successfully compromised the npm publishing account for the 'debug' package via a phishing attack. They published version 4.4.2, which was functionally identical to the previous patch but contained embedded malicious code targeting browser environments. This malicious payload attempts to intercept and redirect cryptocurrency transactions, specifically targeting browser-based wallets such as MetaMask, to attacker-controlled addresses. Importantly, the compromise affects only browser contexts where 'debug' is bundled or included directly via script tags; local, server-side, or command-line uses of the package remain unaffected. The malicious version was quickly removed from the npm registry on the same day, and a clean patch version 4.4.3 was released on September 13 to mitigate risks, including cache busting for private registries. Users are advised to upgrade to the latest version, clear caches, delete node_modules directories, and rebuild browser bundles to eliminate the malicious code. The vulnerability is classified under CWE-506 (Embedded Malicious Code), with a CVSS 4.0 score of 8.8, reflecting its high impact and ease of exploitation without authentication or user interaction. No known exploits in the wild have been reported yet, but the potential for financial theft via cryptocurrency redirection is significant.

Potential Impact

For European organizations, the primary impact lies in the potential theft of cryptocurrency assets through compromised browser-based wallets. Organizations involved in fintech, cryptocurrency trading, blockchain development, or any web applications that integrate 'debug' in browser contexts are at risk of financial loss and reputational damage. The stealthy nature of the malicious payload—redirecting transactions without user awareness—can lead to undetected asset diversion. Additionally, organizations relying on private npm registries or mirrors may inadvertently continue distributing the compromised package if caches are not purged, prolonging exposure. The incident also highlights risks in software supply chains, potentially undermining trust in open-source dependencies. Regulatory implications under GDPR and financial compliance frameworks may arise if customer assets are affected or if the breach leads to data exposure during incident response. The threat is less relevant for server-side applications but critical for any front-end JavaScript bundles used in production.

Mitigation Recommendations

1. Immediately upgrade all instances of the 'debug' package to version 4.4.3 or later.
2. Completely remove existing node_modules directories to prevent residual malicious code.
3. Clear all package manager caches globally and locally, including npm caches and any private registry caches.
4. Rebuild all browser bundles from scratch using clean dependencies to ensure no malicious code remains embedded.
5. For organizations operating private npm registries or mirrors, purge all cached versions of debug 4.4.2 and verify no compromised packages remain.
6. Conduct audits of front-end applications to confirm no direct script inclusions of the compromised version exist.
7. Monitor cryptocurrency wallet transactions for suspicious redirects or unauthorized transfers, particularly in environments using MetaMask or similar wallets.
8. Educate development and DevOps teams on supply chain security best practices, including phishing awareness and multi-factor authentication for publishing accounts.
9. Implement dependency scanning tools that can detect compromised or malicious package versions proactively.
10. Consider isolating or sandboxing browser environments that handle sensitive cryptocurrency operations to limit potential damage.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-09T15:23:16.326Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c866d82e2c3e5d6abeedc3

Added to database: 9/15/2025, 7:19:52 PM

Last enriched: 9/15/2025, 7:20:32 PM

Last updated: 9/18/2025, 7:20:38 AM
